This page should be sandboxed.

<script>
// We're not served with the extension default CSP, we can use inline script.

var sendResponse = function(msg) {
  var mainWindow = window.opener || window.top;
  mainWindow.postMessage(msg, '*');
};

var remote_frame_loaded = false;
window.addEventListener('securitypolicyviolation', function(e) {
  if (remote_frame_loaded)
    sendResponse('succeeded');
  else
    sendResponse('failed');
});

var loadFrameExpectResponse = function(iframe, url, isManifestV3) {
  var identifier = performance.now();
  return new Promise(function(resolve, reject) {
    window.addEventListener('message', function(e) {
      var data = JSON.parse(e.data);
      if (data[0] == 'local frame msg' && data[1] == identifier) {
        resolve();
      } else {
        reject();
      }
    });
    iframe.onerror = reject;
    iframe.onload = function() {
      if (isManifestV3) {
        // TODO(crbug.com/1219825): A manifest V3 extension's sandboxed frame
        // can't currently embed an extension's web_accessible iframe due to a
        // bug with our handling of web accessible resources. Even though the
        // iframe load fails, the onload event is raised. Early return in this
        // case. Note the test still makes sense since a CSP violation is not
        // raised while loading a local url.
        resolve();
        return;
      }
      iframe.contentWindow.postMessage(
          JSON.stringify(['sandboxed frame msg', identifier]), '*');
    };
    iframe.src = url;
  });
};

var runTestAndRespond = function(localUrl, remoteUrl, isManifestV3) {
  var iframe = document.createElement('iframe');

  // First load local resource in |iframe|, expect the local frame to respond.
  loadFrameExpectResponse(iframe, localUrl, isManifestV3).then(function() {
    // Then load remote resource in |iframe|, expect the navigation to be
    // blocked by the Content-Security-Policy.
    // Rely on the SecurityPolicyViolationEvent to detect that the frame has
    // been blocked.
    remote_frame_loaded = true;
    iframe.src = remoteUrl;
  });
  document.body.appendChild(iframe);
};

onmessage = function(e) {
  var command = JSON.parse(e.data);
  if (command[0] == 'load') {
    var localUrl = command[1];
    var remoteUrl = command[2];
    var isManifestV3 = command[3]
    runTestAndRespond(localUrl, remoteUrl, isManifestV3);
  }
};

</script>
